Cloud Risk Management and Audit
Sukumar Nayak, CTO Cloud Services Integration & Automation Leader
Date Created: 01/27/2014
Date last updated: 03/15/2015
2
Scope:
• Cloud Fundamentals
• Cloud Models & Approaches
• Intro to OpenStack
• Reference Architecture & Framework
• Intro to CSA¹ Cloud Control Matrix (CCM)
• 16 Domains & 133 Controls
• Intro to DMTF² Cloud Auditing Data Federation (CADF)
• Risk Management Challenges & Opportunities
• 10 Steps to Manage Cloud Security by CSCC³
• Q&A
Objective: Provide an overview of Cloud Risk Management and Audit
1. CSA: Cloud Security Alliance
2. DMTF: Distributed Management Task Force
3. CSCC: Cloud Standards Customers Council
3
Acronyms
• ADFS: Active Directory Federated Services
• CADF: Cloud Auditing Data Federation
• CSA: Cloud Security Alliance
• CSCC: Cloud Standards Customers Council
• DMTF: Distributed Management Task Force
• ENISA: European Network and Information Security Agency
• GRC: Global Regulatory Compliance
• LDAP: Lightweight Directory Access Protocol
• NIST: National Institute of Standards and Technology
• NIST CC SRA: Cloud Computing Standard Reference Architecture
• SAML: Security Authorization Markup Language
• SCIM: System for Cross-domain Identity Management
• SLA: Service Level Agreement
• SLO: Service Level Objectives
• SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16
• XACML: eXtensible Access Control Markup Language
4
Cloud… where is the money?
Example recent news:
Deutsche Bank signs 10 years multibillion-dollar IT deal with HP in Feb 2015
Solution: HP Helion OpenStack based Cloud Services
HP will provide computing capacity and data storage to host Deutsche's operations.
Deutsche will retain activities such as IT architecture and information security.
Pareto Principle (figure):
• Traditional environment: 80% of effort goes to infrastructure/platform management (data center, server resources, OS, platforms) and 20% to application management and business focus.
• Cloud environment: 20% of effort goes to infrastructure/platform management (cloud resources) and 80% to application management and business focus (innovations, creativity, agility).
5
Cloud computing basics
NIST Definition:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. This cloud model is
composed of five essential characteristics, three service models, and four deployment
models.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Delivery Models
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
6
Essential Characteristics Of Cloud Computing
Characteristic: Description
• On-Demand Self Service: Authorized agencies must be able to provide and release capabilities, as needed, automatically, without requiring human interaction with each services provider.
• Broad Network Access: Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients.
• Resource Pooling: The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency’s self-service demand.
• Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. Cloud Computing capabilities should be rapidly and elastically provisioned and released.
• Measured Service: Cloud resource usage should be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
7
Service Delivery Models (figure)
Each column stacks the same nine layers: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. The four columns are Traditional (on premise), Infrastructure (as a Service), Platform (as a Service) and Software (as a Service). Moving from left to right, responsibility for the layers shifts from client managed, through jointly managed, to vendor managed; in the traditional model the client manages every layer, and in SaaS the vendor manages every layer.
8
Private vs. Public: Understanding the Trade-Offs
(Figure: five deployment options, shown for two example enterprises.)
No Cloud (Enterprise IT):
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization
Private Cloud:
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business
Virtual Private Cloud:
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business
Community Cloud:
• Consortium or a government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business
Public Cloud:
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in cloud
• Maximum elasticity; maximum resource utilization; low cost of business
9
Private vs. Public: Understanding the Trade-Offs
(Figure: the same five-option diagram as the previous slide, annotated with its two axes: Autonomy and Cost-Efficiency.)
10
Workloads shifting to the Cloud (figure)
Workloads are placed along the span from Traditional IT through Private cloud to Public cloud: Server capacity on demand; Business apps (CRM, ERP); IT management; Email; Personal productivity apps; Website creation & management; Storage capacity on demand; App dev. & test; Tech. computing apps; Data analysis and mining; Custom apps; Apps with sensitive data; IT help desk; Collaborative apps; Data backup/archive svcs.
Cloud computing complements traditional IT
11
Enterprise Architecture and Cloud Architecture
Business Architecture (What, Who, Why):
• Mission
• Vision
• Stakeholders
• Operating Model & Processes
• Value Chain Models
• Metrics & Measures
• Align Business Strategy to IT Strategy
Information Architecture (What, How):
• Data Models
• Data Flows
• Interface, Integration & Interoperability
• Relevance to Business functions
Application Architecture (With what):
• Applications
• Tools
• Functions
• Capabilities
• Workflows
Technology & Infrastructure Architecture (With what):
• Servers
• Software
• Network
• Storage
• GRC, Legal, Security & Privacy
• Data Center Sites
Service Delivery (How & How much):
• Deployment
• Chargeback
• Break fix
• SLAs/SLOs
• Operations & Management
Figure labels: Enterprise Architecture focus; Cloud Architecture focus (IaaS & PaaS).
12
Promise of Cloud Computing
Cloud will not necessarily help map IT to business but…
Cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster Deployment, Onboarding, Provisioning & De-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for Integration & flexibility
• Implementation of Chargebacks
• Improved Operations support & Provide SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs
Challenges & success factors…
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility Issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change
13
Cloud simplifies IT services, but realize there is a lot behind this
(Figure: Demand, Delivery and Supply layers. Access devices sit on the demand side; Cloud services (SaaS, PaaS, IaaS) run on the cloud platform; around them sit Security management services, Identity & access management services, IT management services with security impact, and the IT management framework.)
14
And make sure you understand security
(Figure: the same Demand / Delivery / Supply model, expanded with its security functions.)
Access devices: Malware protection; Network security; Client security; Data protection; Application security
Cloud services (SaaS, PaaS, IaaS): Application security; Secure SDLC; Instance security
Identity & access management services: Account management; Access control management; Authentication; Key management; Identity provisioning; Federation; Auditing
IT management services with security impact: Change management; Patch management; Configuration management; GRC; Capacity management; Availability management; Incident management; Virtualization management; Vulnerability management; SIEM; Compliance management; Security service portal
IT management framework
Cloud platform security (application security, data protection and availability): Malware protection; Network security; Server security; Client security; Storage security; Data protection; Virtualization security; Platform availability; Physical security; Security monitoring
15
Secure Cloud Environment technologies & concepts
Segmentation and Isolation
Threat Detection and Mitigation
Security Information & Event Management (SIEM) / Log Management
Incident Response and Forensics
Identity & Access Management
Data Protection; Data & Information Security
Secure Software Development
Vulnerability Scanning and Patch Management
Physical & Personnel Security
Security Policy Management
Endpoint Management
16
Cloud Models & Approaches
Ref: OpenNebula.org http://opennebula.org/eucalyptus-cloudstack-openstack-and-opennebula-a-tale-of-two-cloud-models/
Datacenter Virtualization: Cloud as an extension of virtualization in the datacenter; hence looking for a vCloud-like infrastructure automation tool to orchestrate and simplify the management of the virtualized resources.
Infrastructure Provision: Cloud as an AWS-like cloud on-premise; hence looking for a provisioning tool to supply virtualized resources on-demand.
17
Factors for choosing Cloud Models & Approaches
(Table: each factor compared for Datacenter Virtualization vs. Infrastructure Provision.)
Applications
  Datacenter Virtualization: Multi-tiered applications defined in a traditional, “enterprise” way
  Infrastructure Provision: “Re-architected” applications to fit into the cloud paradigm
Interfaces
  Datacenter Virtualization: Feature-rich API and administration portal
  Infrastructure Provision: Simple cloud APIs and self-service portal
Management Capabilities
  Datacenter Virtualization: Complete life-cycle management of virtual and physical resources
  Infrastructure Provision: Simplified life-cycle management of virtual resources with abstraction of underlying infrastructure
Cloud Deployment
  Datacenter Virtualization: Mostly private
  Infrastructure Provision: Mostly public
Internal Design
  Datacenter Virtualization: Bottom-up design dictated by the management of datacenter complexity
  Infrastructure Provision: Top-down design dictated by the efficient implementation of cloud interfaces
Enterprise Capabilities
  Datacenter Virtualization: High availability, fault tolerance, replication, scheduling… provided by the cloud management platform
  Infrastructure Provision: Most of them built into the application, as in “design for failure”
Datacenter Integration
  Datacenter Virtualization: Easy to adapt to fit into any existing infrastructure environment to leverage IT investments
  Infrastructure Provision: Built on new, homogeneous commodity infrastructure
18
OpenStack introduction
Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
19
OpenStack Basic Deployment (figure)
Components shown in the deployment diagram: Portal, Identity, Library/Images, Compute, Network, Block Storage (Files), Object Storage (Blobs), Database Services, Automation, Message Broker, Metering, Config Database.
20
OpenStack Feature Releases (figure)
Release timeline: Nov 2010, Feb 2011, Apr 2011, Sep 2011, Apr 2012, Sep 2012, Apr 2013, Oct 2013, Apr 2014, Nov 2014.
Components charted across the releases, with their evolving names: Compute; Blobs / Object Storage; Library / Images; Portal; Identity; Network; Files / Block Storage; Automation; Metering; Database / Database Services; Hadoop Cluster.
21
Cloud Security Alliance TCI Reference Architecture
Legend:
CSA: Cloud Security Alliance
TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
22
Cloud Security Alliance TCI Reference Architecture
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage,
Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
23
CSA Cloud Control Matrix CCM v3.0.1; 16 Domains
Source: https://cloudsecurityalliance.org/research/ccm/
Legend:
CSA: Cloud Security Alliance
CCM: Cloud Control Matrix
(Number of controls) for each Domain
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
24
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Application & Interface Security (AIS)
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity
Audit Assurance & Compliance (AAC)
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping
Business Continuity Management & Operational Resilience (BCR)
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy
Change Control & Configuration Management (CCC)
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes
Data Security & Information Lifecycle Management (DSI)
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal
Source: https://cloudsecurityalliance.org/research/ccm/
25
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Datacenter Security (DCS)
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access
Encryption & Key Management (EKM)
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access
Governance and Risk Management (GRM)
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework
Source: https://cloudsecurityalliance.org/research/ccm/
26
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Human Resources (HRS)
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace
Identity & Access Management (IAM)
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access
Source: https://cloudsecurityalliance.org/research/ccm/
27
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Infrastructure & Virtualization Security (IVS)
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture
Interoperability & Portability (IPY)
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization
Mobile Security (MOS)
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users
Source: https://cloudsecurityalliance.org/research/ccm/
28
CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Security Incident Management, E-Discovery & Cloud Forensics (SEF)
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics
Supply Chain Management, Transparency and Accountability (STA)
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits
Threat and Vulnerability Management (TVM)
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code
Source: https://cloudsecurityalliance.org/research/ccm/
29
DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage
and self-audit application security in cloud environments. CADF is part of the DMTF’s Cloud
Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / Reports
• Key event data is normalized and categorized to support auditing of hybrid Cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Customer Benefits:
• Ability to self manage auditing of their data
• Similar reports from different Cloud service providers
• Aggregate audit data from different Clouds / Partners
• Auditing processes & tools unchanged
30
Cloud Auditing Data aggregated from multiple sources (figure)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Company A runs its hybrid applications in-house and at Cloud Providers P1 and P2. Each location exposes standard APIs for requesting audit data and returns standard audit data (logs and reports); Company A’s OSS/BSS processes aggregate the audit data from the hybrid applications, and Company A’s auditor consumes the aggregated result.
OSS: Operational Support Services
BSS: Business Support Services
31
CADF Taxonomy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Includes:
• Resources, by the role played in the event, ex: Initiator, Target, Observer.
• Actions, used to classify the event by the activity that caused it to be generated.
• Outcomes, used to describe the outcome of the attempted action of the event.
CADF Event Model: Basic and conditional model components
Model Component: CADF Definition
• OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.
• INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.
• ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.
• TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.
• OUTCOME: The result or status of the ACTION against the TARGET, according to the OBSERVER.
32
CADF Event Model and REPORTERCHAIN construction
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
CADF Event Model: Basic and conditional model components
Example of REPORTERCHAIN construction
33
CADF 7 essential W’s of auditing and monitoring
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
CADF Event Model and its components:
• Work for any Activity, Monitoring or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component
1. What: What activity occurred? What was the result?
   event.action; event.outcome; event.type (activity, monitoring, control); event.reason (ex: security, reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 transaction timestamps.
   event.eventTime; reporter.timestamp; event.duration
3. Who: Who (user/service) initiated the Action?
   initiator.id; initiator.type; initiator.id (id, name); initiator.credential; initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded?
   observer.id; observer.type; reporterstep.role; reporterstep.reporterTime
5. On What: On what resource did the Activity target?
   target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses and ISO 6709:2008 precise geolocations.
   initiator.addresses; initiator.host; initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name.
   target.addresses; target.host; target.geolocation
Legend: optional properties were shown in italics on the original slide.
34
CADF Resource Top-level Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
storage Logical resources that represent storage containers.
compute Logical resources that are used to perform logical operations or calculations on data.
network Logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged.
data Logical named sets of information (objectified data) that are referenced and managed by services.
service Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).
system Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.
unknown This resource indicates that the OBSERVER of the event is not, to the best of its ability, able to classify a resource that contributed to the actual event it is reporting on using any other valid resource taxonomy value.
35
CADF Resource Taxonomy - Storage subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
node Logical resource that contains the necessary processing components to store data.
volume Logical unit of persistent data storage that may or may not be physically removable from the computer or storage system.
memory Logical unit of data storage that is used for dynamically processing data.
container Logical unit of storage where data objects are deposited and organized for persistent storage.
directory Logical storage used to organize records about resources (e.g., files, subscribers, etc.) along with their locations and other metadata. Typically, these records are organized in a hierarchical structure.
database Logical storage used to organize data to a model (schema) that reflects relevant aspects of a specific real-world application.
queue Logical storage of a list of data waiting to be processed.
36
CADF Resource Taxonomy - Compute subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
node Logical resource that contains the necessary processing components to execute a workload.
cpu Logical resource that represents a unit of processing power that can consume a workload.
machine Logical resource that encapsulates both CPU and Memory.
process An instance of a granular workload, such as an application or service that is being executed.
thread A separable function of a running process that shares its virtual address space and system resources.
37
CADF Resource Taxonomy - Network subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
node A logical resource that can be networked and can provide services on data from network connections. A node may export zero or more endpoints (zero implies it has not been provisioned).
host A network node that can perform operations or calculations on data.
connection A single network interaction involving two or more endpoints (sources and destinations).
domain Represents a logical grouping of networked resources.
cluster Represents a logical combination of tightly coupled, network resources.
38
CADF Resource Taxonomy - Service subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
bss Business Support Services (BSS), The logical classification grouping for services that are identified to support business activities.
composition The logical classification grouping for services that supports the compositing of independent services into a new service offering
compute Infrastructure services for managing computing (fabric).
database Database Services (or DB-as-a-Service) Database services that permit substitutability to various provider implementations.
image Infrastructure services for managing virtual machine images and associated metadata.
network Infrastructure services for managing networking (fabric).
oss Operational Support Services (OSS); The logical classification grouping for services that are identified to support operations including communication, control, analysis, etc.
security Security Services (or Sec-as-a-Service) The logical classification grouping for security services including Identity Mgmt., Policy Mgmt., Authentication, Authorization, Access Mgmt., etc. (a.k.a. “Security-as-a-Service”)
storage Infrastructure services for managing storage (fabric).
storage block Infrastructure services for managing Block storage.
storage object Infrastructure services for managing Object storage.
39
CADF Resource Taxonomy Composition, OSS & BSS subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
bssbilling Business services to manage different types of charges for cloud-based resources relevant to a given customer.
bsslocation Business services to manage the location, physical or virtual, of cloud-based resources as well as clients (e.g., mobile devices).
bssmetering Business Services to manage the measurement of cloud-based resources (e.g., utilization, transactions, performance, etc.), often to determine how to bill for service usage.
composition orchestration Composition services that automate the management of complex applications, services, platforms and/or infrastructures to align them to fulfill business and service agreements and operational policies.
composition workflow Composition services that sequence connected steps that support management of a document (e.g., transaction, order, service template, etc.) through a complex system of applications, services, platforms and/or infrastructures.
osscapacity Operational services that ensure that the resource capacity allocated to an application (including compute, storage and networking resources) matches its current utilization.
ossconfiguration Operational services that manage and monitor configuration changes on applications to avoid incompatibilities that can result in reduced performance or compliance failures.
osslogging Operational services that capture or record information and identifying data about actions that occur in a system. This includes data that could be, or contribute to, auditable event records.
ossmonitoring Operational services that monitor services to ensure their availability and that they are provided in accordance with the terms of Service Level Agreements (SLAs).
ossvirtualization Operational services that manage virtualization of ‘compute’, ‘storage’, and ‘network’ infrastructure.
bsscrm Customer Relationship Mgmt. (CRM) Services (example extension of the “bss” classification)
bsserp Enterprise Risk Mgmt. (ERM) Services (example extension of the “bss” classification)
bsssrm Service Request Mgmt. (SRM) Services (example extension of the “bss” classification)
40
CADF Resource Taxonomy - Data subtree (1 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
catalog A data resource used to register resources along with information or metadata about them and perhaps provide links to them.
config A data resource that contains information such as settings and parameters that could be used for configuring a resource (or parts of it).
directory The parent classification for all directory related data objects.
file A logical block of data for storing information in a filesystem, which is available to computer programs
image A readily usable or processable set of data that can be easily transferred between processing domains.
log A data resource used to record events from automated computer programs. Typically used to provide an audit trail that can be used to understand the activity of a system and to diagnose problems.
message A block of information that is transmitted over a connection between networked endpoints.
message/stream A continuous message or series of messages between networked endpoints.
module A portion of a program typically aligned with a specific functional set.
package A wrapped collection of files and data, along with metadata, meaningful to the processing domain that will utilize it.
41
CADF Resource Taxonomy - Data subtree (2 of 2)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
report A data resource that contains one or more event records that are compiled with other auditing information in response to some step within an auditing process.
template A data resource that serves as a pattern, stencil, or gauge for instantiating a new resource or set of resources. For example, a template that describes the topology and relationships of an application’s services and its network to a cloud provider for deployment and management.
workload A set of data that represents the amount of work that computational nodes can consume at a given time.
workload/application A workload that performs a wide range of operations, some of which may be exported as services.
workload/service A workload that performs a single or a few specialized operations. See A.2.10 when specific services are described in events apart from generic management as compute workloads.
database (obj) The parent classification for all database-related data objects. See clause A.2.13 (“Database (data object) subtree classifications”), which shows the full set of database-related classifications.
security (obj) The parent classification for all security-related data objects. See clause A.2.12 (“Security (data objects) subtree classifications”), which shows the full set of security-related classifications.
42
CADF Resource Taxonomy - Security subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
account Represents a business agreement for providing regular services between a provider and consumer.
acc/user Is an account representing a person assigned access to use cloud resources or applications.
acc/admin Is an account representing a person assigned administrative access to resources.
credential Represents security data that is transferred to establish a claimed identity. [SAML Gloss]
group Represents named groups to which users or roles can be assigned that carries access rights or entitlements its members inherit.
identity Represents the essence of an entity (e.g., a user or service) and may describe the entity’s characteristics and properties.
key Is a secret token used to protect data, typically through signing or encryption. The key (or its public variant) can be provided to one or more parties to enable access to the protected data.
license Represents an authorization or permission to do something on, or with, somebody else’s resources.
policy Represents security data that contains rules and procedures that regulate resources within a system.
profile Represents security data that defines extended rules, constraints or properties that apply to particular domains.
role Represents named jobs or functions users may be assigned. A role may carry access rights and entitlements that users inherit from being assigned to that role.
node Represents a network node (e.g., router, server, etc.) acting with some (perceived) credential or authority to perform some action against another resource. This would be used if limited information is known to the event's observer (e.g., perhaps only an endpoint address is known).
43
CADF Resource Taxonomy - Database subtree
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
alias An alias is an alternative name for an object such as a table, a view or another alias. It can be used to reference an object wherever that object can be referenced directly.
index A set of pointers that are logically ordered by the values of one or more keys. They are typically used to improve performance and ensure key uniqueness.
instance A logical representation of the structures, memory and storage used to realize a database, its objects and data.
key A property used to identify data stored in a database table. Typically, each table has a primary key that uniquely identifies records.
routine An executable database object that performs operations on other database objects.
schema A collection of named objects that are grouped logically. A schema is also a name qualifier; it provides a way to use the same natural name for several objects, and to prevent ambiguous references to those objects.
sequence A stored object that simply generates a sequence of numbers in a monotonically ascending (or descending) order. Sequences provide a way to have the database manager automatically generate unique keys and to coordinate keys across multiple rows and tables.
table A logical structure made up of columns and rows. At the intersection of every column and row is a specific data item called a value. There is no inherent order of the rows within a table.
view An alternative way of looking at the data in one or more tables.
44
CADF Action Taxonomy hierarchy (1 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
create The target resource described in the event was created (or an attempt was made to do so) by the initiator resource.
read Data was read from the target resource by the initiating resource (or an attempt was made to do so).
update One or more of the target resource's properties were modified or changed by the initiator resource.
delete The target resource described in the event was deleted (or an attempt was made to do so) by the initiator resource.
monitor The target resource is the subject of a monitoring action from the initiating resource.
backup The target resource described in the event is being persisted to storage without regard to environment, context, or state at the time of storage.
capture The target resource described in the event is being persisted to storage along with relevant environment and state information (e.g., program settings, network state, memory/cache, etc.). Conceptually, a “snapshot” of the resource is being captured at a moment in time.
configure The target resource described in the event is being set up to enable it to run on a particular environment or for a particular application or use.
deploy The target resource is being positioned or made available for use by the initiator resource, but is not yet started.
Legend: General Resource Mgmt; Monitoring; Workload & Data Mgmt
45
CADF Action Taxonomy hierarchy (2 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
disable The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.
enable The target resource (that has been started) is being changed by the initiator resource to allow or permit some set of functions.
restore The initiator is requesting the target resource (or some portion of it) be restored from persistent storage.
start The target resource is being made functional by the initiator resource and able to perform or execute operations.
stop The initiator resource is causing the target resource to no longer be functional or able to perform or execute operations.
undeploy The initiator resource is causing the target resource to no longer be positioned or available for use.
receive The initiator resource is receiving a message or data from the target resource. Note that this is a separate action from any action the receiver performs based upon the content of the message or with the data.
send The initiator resource is transmitting a message or data to the target resource. Note that this is a separate action from that of "creating" the message.
Legend: Messaging; Workload & Data Mgmt
46
CADF Action Taxonomy hierarchy (3 of 3)
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Name Description
authenticate The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.
login An extension of the authenticate action.
renew A security request from the initiator resource to renew a resource’s identity, credentials, or related attributes or privileges sent to the target resource (an authority).
revoke A security request from the initiator resource to remove entitlements or privileges from a resource’s identity and/or credentials sent to the target resource (an authority).
allow Indicates that the initiating resource has allowed access to the target resource.
deny Indicates that the initiating resource has denied access to the target resource.
evaluate Indicates the evaluation or application of a policy, rule, or algorithm to a set of inputs.
notify Indicates that the initiating resource has sent a notification based on some policy or algorithm application – perhaps it has generated an alert to indicate a system problem.
unknown Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify the exact action for the actual event it is reporting using any other valid action taxonomy value.
Legend: Security, Policy, Access Control; Security Identity
47
CADF Outcome Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Value Description
success The attempted action completed successfully with the expected results.
failure The attempted action failed due to some form of operational system failure or because the action was denied, blocked or refused in some way.
unknown The outcome of the attempted action is unknown and it is not expected that it will ever be known.
pending The outcome of the attempted action is unknown, but it is expected that it will be known at some point in the future. A future event correlated with the current event may provide additional detail.
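As an added example (not code from this deck, from DMTF or from OpenStack), the following Python checks a CADF event record against the action, outcome and resource taxonomies from the slides above, then uses only conforming records for a simple detection: repeated failed logins per initiator. The required event fields and the path form "authenticate/login" are assumptions based on DSP0262 and OpenStack's pycadf; all sample events are constructed.

```python
"""Check CADF (DMTF DSP0262) event records against the action, outcome and
resource taxonomies on the slides above, then run a simple detection over them."""
from collections import Counter

# Action values from the "CADF Action Taxonomy hierarchy" slides.  "login" is an
# extension of "authenticate", so it is written in path form (assumption: the
# spec's path convention, as used by OpenStack's pycadf).
CADF_ACTIONS = {
    "create", "read", "update", "delete", "monitor", "backup", "capture",
    "configure", "deploy", "disable", "enable", "restore", "start", "stop",
    "undeploy", "receive", "send", "authenticate", "authenticate/login",
    "renew", "revoke", "allow", "deny", "evaluate", "notify", "unknown",
}
# Outcome values from the "CADF Outcome Taxonomy hierarchy" slide.
CADF_OUTCOMES = {"success", "failure", "unknown", "pending"}
# Resource typeURI paths assembled from the Resource Taxonomy slides (a subset).
CADF_RESOURCES = {
    "compute/machine", "compute/process", "compute/thread",
    "network/node", "network/host", "network/connection", "network/domain",
    "service/bss", "service/compute", "service/database", "service/image",
    "service/network", "service/oss", "service/oss/logging", "service/security",
    "service/storage", "service/storage/block", "service/storage/object",
    "data/catalog", "data/config", "data/file", "data/log", "data/message",
    "data/report", "data/template", "data/workload", "data/security/account",
    "data/security/account/user", "data/security/account/admin",
    "data/security/credential", "data/security/identity", "data/security/key",
    "data/security/policy", "data/security/role", "data/database/table", "unknown",
}
EVENT_TYPE_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
EVENT_TYPES = ("activity", "monitor", "control")
REQUIRED = ("typeURI", "id", "eventType", "eventTime", "action", "outcome",
            "initiator", "target", "observer")


def validate_event(event):
    """Return the problems found; [] means every check here passed."""
    errors = []
    for field in REQUIRED:
        if field not in event:
            errors.append("missing required field: %s" % field)
    if event.get("typeURI") != EVENT_TYPE_URI:
        errors.append("typeURI must be %s" % EVENT_TYPE_URI)
    if event.get("eventType") not in EVENT_TYPES:
        errors.append("eventType must be one of %s" % ", ".join(EVENT_TYPES))
    if event.get("action") not in CADF_ACTIONS:
        errors.append("action %r is not in the CADF action taxonomy" % event.get("action"))
    if event.get("outcome") not in CADF_OUTCOMES:
        errors.append("outcome %r is not in the CADF outcome taxonomy" % event.get("outcome"))
    for role in ("initiator", "target", "observer"):
        resource = event.get(role)
        if not isinstance(resource, dict):
            continue  # absence was already reported above
        if "id" not in resource:
            errors.append("%s has no id" % role)
        if resource.get("typeURI") not in CADF_RESOURCES:
            errors.append("%s.typeURI %r is not a known resource type"
                          % (role, resource.get("typeURI")))
    return errors


def failed_logins_by_initiator(events, threshold=3):
    """Return (initiator ids with >= threshold failed logins, count of records
    rejected as malformed).  Rejects are counted, not silently dropped: a jump
    in that count means the audit feed itself needs attention."""
    counts, rejected = Counter(), 0
    for event in events:
        if validate_event(event):
            rejected += 1
            continue
        if event["action"].startswith("authenticate") and event["outcome"] == "failure":
            counts[event["initiator"]["id"]] += 1
    return sorted(i for i, n in counts.items() if n >= threshold), rejected


def make_event(event_id, action, outcome, initiator_id, event_time):
    """Build a constructed Keystone-style login event (sample data only)."""
    return {
        "typeURI": EVENT_TYPE_URI, "id": event_id, "eventType": "activity",
        "eventTime": event_time, "action": action, "outcome": outcome,
        "initiator": {"typeURI": "data/security/account/user", "id": initiator_id},
        "target": {"typeURI": "service/security", "id": "identity-service"},
        "observer": {"typeURI": "service/security", "id": "audit-middleware"},
    }


# Constructed batch: three failures for one user, one failure and one success
# for another; BAD_EVENT breaks several rules at once (no observer, bad values).
SAMPLE_EVENTS = [
    make_event("evt-1", "authenticate/login", "failure", "user-alice", "2015-03-15T10:00:01Z"),
    make_event("evt-2", "authenticate/login", "failure", "user-alice", "2015-03-15T10:00:07Z"),
    make_event("evt-3", "authenticate/login", "failure", "user-alice", "2015-03-15T10:00:12Z"),
    make_event("evt-4", "authenticate/login", "failure", "user-bob", "2015-03-15T10:01:00Z"),
    make_event("evt-5", "authenticate/login", "success", "user-bob", "2015-03-15T10:01:09Z"),
]
BAD_EVENT = {"typeURI": EVENT_TYPE_URI, "id": "evt-6", "eventType": "activity",
             "eventTime": "2015-03-15T10:02:00Z", "action": "logout", "outcome": "ok",
             "initiator": {"typeURI": "data/security/account/user", "id": "user-carol"},
             "target": {"typeURI": "service/security", "id": "identity-service"}}
```

Running `failed_logins_by_initiator(SAMPLE_EVENTS + [BAD_EVENT])` returns `(['user-alice'], 1)`: one initiator over the threshold and one record rejected for taxonomy violations.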
48
10 Steps to Manage Cloud Security
Step 1: Ensure effective governance, risks & compliance
Standards:
• ISO 38500 – IT Governance
• COBIT
• ITIL (ISO 27002)
• ISO 20000-7 & ISO 20000-11 (in devl)
• SSAE 16
• PCI-DSS
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16
• HIPAA
• PCI-DSS
• FedRAMP
• FISMA
Step 2: Audit operational and business processes
Standards:
• DMTF Cloud Auditing Data Federation (CADF)
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16
Step 3: Manage people, roles and identities
Standards:
• ISO 27002
• IAM: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect
• SCIM
• Active Directory Federated Services (ADFS)
• XACML
• PKCS, X.509, OpenPGP
Certifications:
• ISO 27002 (ISO 27017)
Step 4: Ensure proper protection of data & information
Standards:
• ISO 27002 / 27017 (in devl)
• Data in motion: HTTPS, SFTP, VPC using IPSec or SSL
• US FIPS 140-2
• OASIS KMIP
Certifications:
• ISO 27002 (ISO 27017)
Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
49
10 Steps to Manage Cloud Security
Step 5: Enforce privacy policies
Standards:
• Personally Identifiable Information (PII)
• U.S – EU Safe Harbor framework
• ISO 27018 (in devl)
Certifications:
• TRUSTe Safe Harbor certification seal program
• ISO 27018 (in devl)
Step 6: Assess the security provisions for cloud apps
Standards:
• NIST Guidelines on Firewalls and Firewall Policy
• Open Web Application Security Project (OWASP)
• OVF 2.0 & OASIS TOSCA
Certifications:
• ISO 27002 (ISO 27017)
Step 7: Ensure cloud networks and connections are secure
Standards:
• ISO 27001 & 27002
• ISO/IEC 27033-1/2/3
• FISMA (FIPS 199 & 200)
• OpenFlow, TM Forum Frameworx, NIST SP 800-53
Certifications:
• ISO 27002 (ISO 27017)
Step 8: Evaluate security controls on physical infrastructure & facilities
Standards:
• ISO 27002
• ISO 27017 & 18 (in devl)
Certifications:
• ISO 27002 (ISO 27017)
Step 9: Manage security terms in the cloud SLA
Standards:
• CSCC Practical Guide to SLA
• ISO 27004, NIST SP 800-55
• CIS Consensus Security Metrics
• ENISA
Certifications:
• ISO 27002 (ISO 27017)
• SSAE 16 (financial)
Step 10: Understand the security requirements of exit process
Standards:
• None, ISO SC38 WG3 (future)
Certifications:
• None
Ref: Cloud Standards Customer Council URL: http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
50
References
• Cloud Standards Customer Council (CSCC) Cloud Security Standards
• Cloud Auditing Data Federation
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standards (DSS) Guidelines
• OpenStack wiki
• OpenStack Main Page
• OpenStack Developers Guides
• Cloud Audit Data Federation - OpenStack Profile
• Cloud Auditing Data Federation (CADF) - 5 Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies
• NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
51
References & Credits
52
Conclusion
• The world is becoming more digital
• Cloud is all about services and service delivery
• The cloud is only worth the services it delivers
• Cloud is all about a hybrid world
Thank you
sukumar.nayak@hp.com
sukumar.nayak@gmail.com
240.506.2305
linkedin.com/in/sukumarnayak/
54
Backup
55
Cloud expected benefits and trade-offs
Expected Benefits:
• Economies of Scale
• Multi-Tenancy
• Capacity Utilization
• “Zero” capex model
• Long term Total Cost of Ownership for IT Services
• Lower barriers to entry for new business models which were constrained by the IT resources in the past
• Allows Businesses to focus more on their core competencies
• Speed and Flexibility of business Changes
• On Demand self service
• Automation
• Standardization
• Elasticity
• Pay per Use Model
• Reduced time to market
• Efficiency in global communication and collaboration
Potential risks & trade-offs:
• Security, Privacy, and Data Confidentiality
• Loss of Control & Governance
• Vendor Lock-in
• Management Interface Compromise
• Incomplete or Insecure Data Deletion, Data Protection
• Malicious Insider & Investigative Support
• Segmentation or, Isolation Failure
• Availability, Reliability, Speed, Cost
• Learning Curve
• Quality of support
• Change in organization culture
• Interoperability Standards; Portability for Legacy IT in Clouds
• Shift in Liability
• Regulatory Compliance
• Transparent Infrastructure Scalability
• Application Deployment Mechanisms
• Economic Modeling of new Market
56
OpenStack Feature Releases
Release Date Projects
Austin Nov 2010 Nova and Swift
Bexar Feb 2011 Nova, Swift, and Glance
Cactus Apr 2011 Nova, Swift, and Glance
Diablo Sep 2011 Nova, Swift, and Glance
Essex Apr 2012 Nova, Swift, Glance, Horizon, and Keystone
Folsom Sep 2012 Nova, Swift, Glance, Horizon, and Keystone
Grizzly Apr 2013 Nova, Swift, Glance, Horizon, and Keystone
Havana Oct 2013 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, and Cinder
Icehouse Apr 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, and Trove
Juno Nov 2014 Nova, Swift, Glance, Horizon, Keystone, Heat, Ceilometer, Neutron, Cinder, Trove, and Sahara
Kilo Apr 2015 TBD
57
NIST CC Security Reference Architecture
[Figure: NIST Cloud Computing Security Reference Architecture; only the diagram labels survive.]
Actors: Cloud Consumer; Cloud Provider; Cloud Carrier; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage)
Cloud Provider: Service Layer (IaaS, PaaS, SaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Cloud Orchestration
Cross Cutting Concerns: Security, Privacy, etc.
58
NIST CC Security Reference Architecture
59
Cloud Security Alliance TCI Reference Architecture
Legend:
CSA: Cloud Security Alliance
TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
60
Planning Guide for Infrastructure as a Service (IaaS)
Source: http://blogs.technet.com/b/privatecloud/archive/2012/04/05/planning-guide-for-infrastructure-as-a-service-iaas.aspx
61
Cloud Computing Audit Checklist
Ref Book: Auditing Cloud Computing: A Security and Privacy Guide by Ben Halpert and Jeff Fenton
Source: http://onlinelibrary.wiley.com/doi/10.1002/9781118269091.app1/pdf
• Cloud-Based IT Audit Process (11)
• Cloud-Based IT Governance (4)
• System and Infrastructure Life Cycle Management for the Cloud (3)
• Cloud-Based IT Service Delivery and Support (5)
• Protection and Privacy of Information Assets in the Cloud (5)
• Business Continuity and Disaster Recovery (4)
• Global Regulation and Cloud Computing (5)
• Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (4)
62
Cloud Security’s Split Responsibilities
Source: http://interconnectgo.com/wp-content/uploads/2015/01/Cloud-Cloud-Security-White-Paper.pdf
63
How the Audit Filter Pushes Audit Events to Ceilometer
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
64
CADF API Auditing with Ceilometer - How it works…
Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
65
Audit approaches
• Standardized/automated format: Security Content Automation Protocol (SCAP), CloudTrust, …
• Audit and assurance initiatives (cloud specific): questionnaires such as CloudAudit, ENISA AF, ISACA, …
• Non-cloud specific: ISO 27001, FISMA, PCI, NIST 800-53, …
 
Jjm cloud computing
Jjm cloud computingJjm cloud computing
Jjm cloud computing
 
Cloud Computing Basics
Cloud Computing BasicsCloud Computing Basics
Cloud Computing Basics
 
Cloud Computing (Lecture 1 & 2).pptx
Cloud Computing (Lecture 1 & 2).pptxCloud Computing (Lecture 1 & 2).pptx
Cloud Computing (Lecture 1 & 2).pptx
 
Data Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtcData Tactics dhs introduction to cloud technologies wtc
Data Tactics dhs introduction to cloud technologies wtc
 
Cloud computing
Cloud computing Cloud computing
Cloud computing
 
Clould Computing and its application in Libraries
Clould Computing and its application in LibrariesClould Computing and its application in Libraries
Clould Computing and its application in Libraries
 
Introduction to Cloud Computing
Introduction to Cloud ComputingIntroduction to Cloud Computing
Introduction to Cloud Computing
 
Unit iii virtualitation
Unit iii   virtualitationUnit iii   virtualitation
Unit iii virtualitation
 
Cloud computing(ppt)
Cloud computing(ppt)Cloud computing(ppt)
Cloud computing(ppt)
 
Introduction of cloud computing
Introduction of cloud computingIntroduction of cloud computing
Introduction of cloud computing
 
The move-to-hybrid-cloud-itsmf-april2015
The move-to-hybrid-cloud-itsmf-april2015The move-to-hybrid-cloud-itsmf-april2015
The move-to-hybrid-cloud-itsmf-april2015
 
cloud computing
 cloud computing cloud computing
cloud computing
 
Mahika cloud services
Mahika cloud servicesMahika cloud services
Mahika cloud services
 
Introduction to Cloud Computing.pptx
Introduction to Cloud Computing.pptxIntroduction to Cloud Computing.pptx
Introduction to Cloud Computing.pptx
 
Introduction to Cloud computing
Introduction to Cloud computing Introduction to Cloud computing
Introduction to Cloud computing
 

Sukumar Nayak-Detailed-Cloud Risk Management and Audit

4. Cloud… where is the money?
Example recent news: Deutsche Bank signs 10 years multibillion-dollar IT deal with HP in Feb 2015
Solution: HP Helion OpenStack based Cloud Services
HP will provide computing capacity and data storage to host Deutsche's operations. Deutsche will retain activities such as IT architecture and information security.
Pareto Principle (diagram):
• Traditional Environment: 80% Infrastructure/Platform Management (Data Center, Server Resources, OS, Platforms); 20% Application Management / Business Focus
• Cloud Environment: 20% Infrastructure/Platform Management (Cloud Resources); 80% Application Management / Business Focus (Innovations, Creativity, Agility)
5. Cloud computing basics
NIST Definition: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
5 Essential Characteristics:
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Delivery Models:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
4 Deployment Models:
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
6. Essential Characteristics of Cloud Computing
• On-Demand Self Service: Authorized agencies must be able to provision and release capabilities, as needed, automatically, without requiring human interaction with each service provider.
• Broad Network Access: Once provisioned, the software, platform, or infrastructure maintained by the cloud provider should be available over a network using thin or thick clients.
• Resource Pooling: The resources provisioned from the cloud provider should be pooled to serve multiple agencies or programs using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to the agency's self-service demand.
• Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. Cloud computing capabilities should be rapidly and elastically provisioned and released.
• Measured Service: Cloud resource usage should be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.
Ref: NIST Cloud Computing Definition SP 800-145 http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
7. Service Delivery Models (diagram)
Stack layers, bottom to top: Storage, Servers, Networking, Virtualization, O/S, Middleware, Runtime, Data, Applications.
Each column of the diagram marks every layer as client managed, vendor managed or jointly managed:
• Traditional (on premise): all layers client managed
• Infrastructure (as a Service): lower layers vendor managed, upper layers client managed
• Platform (as a Service): the vendor-managed boundary moves further up the stack; the client keeps Data and Applications
• Software (as a Service): all layers vendor managed
8. Private vs. Public: Understanding the Trade-Offs
No Cloud (Enterprise IT):
• Each enterprise division manages its own data center (or a subdivision)
• Exclusive local control of resources
• Internally borne costs and burdens of management
• High-cost overcapacity, low resource utilization
Private Cloud (Enterprise 1, Enterprise 2):
• Designated enterprise data center (or segment) managed centrally
• Data center resources shared by all divisions, protected by enterprise central controls
• Divisions of enterprise act as independent tenants
• Some elasticity of resources; good resource utilization; reduced cost of business
Virtual Private Cloud:
• Third-party data center providers (public cloud characteristic)
• Data center sharing is restricted to only the divisions of this enterprise (private cloud characteristic)
• Divisions of enterprise act as independent tenants (private cloud characteristic)
• Some elasticity; good resource utilization; low cost of business
Community Cloud:
• Consortium or a government scope data center (larger than private, but smaller than public)
• Members of the consortium or government agencies act as independent tenants
• Data center resources are shared by all members; consortium provides security, privacy and capacity
• Good elasticity of resources; high resource utilization; reduced cost of business
Public Cloud:
• Third-party data center providers
• Computing resources shared by independent enterprises (tenants), protected by third parties in cloud
• Maximum elasticity; maximum resource utilization; low cost of business
9. Private vs. Public: Understanding the Trade-Offs (continued)
Same five models and bullets as slide 8, placed on two trade-off axes: Autonomy (highest for No Cloud / Enterprise IT) and Cost-Efficiency (highest for Public Cloud).
10. Workloads shifting to the Cloud
Workload examples, shown on the slide across three columns (Traditional IT, Private cloud, Public cloud):
• Server capacity on demand
• Storage capacity on demand
• Business apps (CRM, ERP)
• IT management
• IT help desk
• Email
• Personal productivity apps
• Collaborative apps
• Website creation & management
• App dev. & test
• Tech. computing apps
• Data analysis and mining
• Data backup/archive svcs
• Custom apps
• Apps with sensitive data
Cloud computing complements traditional IT.
11. Enterprise Architecture and Cloud Architecture
• Business Architecture (What, Who, Why): Mission; Vision; Stakeholders; Operating Model & Processes; Value Chain Models; Metrics & Measures; Align Business Strategy to IT Strategy
• Information Architecture (What, How): Data Models; Data Flows; Interface, Integration & Interoperability; Relevance to Business functions
• Application Architecture (With what): Applications; Tools; Functions; Capabilities; Workflows
• Technology & Infrastructure Architecture (With what): Servers; Software; Network; Storage; GRC, Legal, Security & Privacy; Data Centers / Sites
• Service Delivery (How & How much): Deployment; Chargeback; Break fix; SLAs/SLOs; Operations & Management
Enterprise Architecture focus spans all layers; Cloud Architecture focus (IaaS & PaaS) is on the Technology & Infrastructure and Service Delivery layers.
12. Promise of Cloud Computing
Cloud will not necessarily help map IT to business, but cloud could enable:
• Economies of scale & improved resource utilization
• Reduced capital spending on technology infrastructure
• Lower barriers to entry for small businesses & lower start-up costs
• Usage based billing (pay as you go)
• Globalization of workforce
• Faster Deployment, Onboarding, Provisioning & De-provisioning
• Improved accessibility anytime & anywhere
• Improved transparency for Integration & flexibility
• Implementation of Chargebacks
• Improved Operations support & provision of SLAs / SLOs
• More predictable delivery of projects
• Reduced software licensing costs
Challenges & success factors:
• Legacy migration
• Integration & Interoperability
• Data & Applications Architecture
• Technology compatibility issues
• Security & Privacy risks
• Legal & Regulatory Compliance
• Management of Change
13. Cloud simplifies IT services, but realize there is a lot behind this (diagram)
• Demand: Access devices
• Delivery: Cloud services (SaaS, PaaS, IaaS) running on the Cloud platform
• Supply: IT management framework
• Cross-cutting services: Security management services; Identity & access management services; IT management services with security impact
14. And make sure you understand security (diagram)
The Demand / Delivery / Supply view of slide 13, expanded:
• Access devices (Demand): Malware protection; Network security; Client security; Data protection; Application security
• Cloud services (Delivery: SaaS, PaaS, IaaS): Application security; Secure SDLC; Instance security
• Cloud platform security (Supply): Malware protection; Network security; Server security; Client security; Storage security; Data protection; Virtualization security; Platform availability; Security monitoring; Physical security; Application security, data protection and availability
• Identity & access management services: Account management; Access control management; Authentication; Key management; Identity provisioning; Federation; Auditing
• IT management services with security impact: Change management; Patch management; Configuration management; GRC; Capacity management; Availability management; Incident management; Virtualization management; Vulnerability management; SIEM; Compliance management; Security service portal
• IT management framework
15. Secure Cloud Environment technologies & concepts
• Segmentation and Isolation
• Threat Detection and Mitigation
• Security Information & Event Management (SIEM) / Log Management
• Incident Response and Forensics
• Identity & Access Management
• Data Protection; Data & Information Security
• Secure Software Development
• Vulnerability Scanning and Patch Management
• Physical & Personnel Security
• Security Policy Management
• Endpoint Management
16. Cloud Models & Approaches
Ref: OpenNebula.org http://opennebula.org/eucalyptus-cloudstack-openstack-and-opennebula-a-tale-of-two-cloud-models/
• Datacenter Virtualization: Cloud as an extension of virtualization in the datacenter; hence looking for a vCloud-like infrastructure automation tool to orchestrate and simplify the management of the virtualized resources.
• Infrastructure Provision: Cloud as an AWS-like cloud on-premise; hence looking for a provisioning tool to supply virtualized resources on demand.
17. Factors for choosing Cloud Models & Approaches
• Applications: Datacenter Virtualization: Multi-tiered applications defined in a traditional, "enterprise" way. Infrastructure Provision: "Re-architected" applications to fit into the cloud paradigm.
• Interfaces: Datacenter Virtualization: Feature-rich API and administration portal. Infrastructure Provision: Simple cloud APIs and self-service portal.
• Management Capabilities: Datacenter Virtualization: Complete life-cycle management of virtual and physical resources. Infrastructure Provision: Simplified life-cycle management of virtual resources with abstraction of underlying infrastructure.
• Cloud Deployment: Datacenter Virtualization: Mostly private. Infrastructure Provision: Mostly public.
• Internal Design: Datacenter Virtualization: Bottom-up design dictated by the management of datacenter complexity. Infrastructure Provision: Top-down design dictated by the efficient implementation of cloud interfaces.
• Enterprise Capabilities: Datacenter Virtualization: High availability, fault tolerance, replication, scheduling… provided by the cloud management platform. Infrastructure Provision: Most of them built into the application, as in "design for failure".
• Datacenter Integration: Datacenter Virtualization: Easy to adapt to fit into any existing infrastructure environment to leverage IT investments. Infrastructure Provision: Built on new, homogeneous commodity infrastructure.
18. OpenStack introduction
Key Components:
• Compute (Nova)
• Image Service (Glance)
• Networking (Neutron)
• Object Storage (Swift)
• Block Storage (Cinder)
• Dashboard (Horizon)
• Identity Service (Keystone)
• Telemetry (Ceilometer)
• Orchestration (Heat)
• Database (Trove)
• Bare Metal Provisioning (Ironic)
• Multiple Tenant Cloud Messaging (Zaqar)
• Elastic Map Reduce (Sahara)
19. OpenStack Basic Deployment (diagram)
Three deployment layouts of increasing size, built from these service blocks: Identity; Library/Images; Compute; Network; Portal; Metering; Automation; Database Services; Block Storage; Object Storage; Message Broker; Config Database; backing stores (Database, Blobs, Files, Messages).
21. Cloud Security Alliance TCI Reference Architecture (diagram)
Legend: CSA: Cloud Security Alliance; TCI: Trusted Cloud Initiative
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
22. Cloud Security Alliance TCI Reference Architecture
Source: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI_Whitepaper.pdf
SRM Services:
• Governance Risk and Compliance
• Information Security Management
• Privilege Management Infrastructure
• Threat and Vulnerability Management
• Infrastructure Protection Services
• Data Protection
• Policies and Standards
ITOS Services:
• IT Operations
• Service Delivery
• Service Support
• Incident Management
• Problem Management
• Knowledge Management
• Change Management
• Release Management
BOSS Services:
• Compliance
• Data Governance
• Operational Risk Management
• Human Resources Security
• Security Monitoring Services
• Legal Services
• Internal Investigation
Presentation Services:
• Presentation Modality
• Presentation Platform
Application Services:
• Development Process
• Security Knowledge Lifecycle
• Programming Interfaces
• Integration Middleware
• Connectivity & Delivery
• Abstraction
Infrastructure Services:
• Facility Services
• Servers
• Storage Services
• Network Services
• Availability Services
• Patch Management
• Equipment Maintenance
• Virtualization (Desktop, Storage, Server, Network)
Information Services:
• User Directory Services
• Security Monitoring Data Management
• Service Delivery Data Management
• Service Support Data Management
• Data Governance Data Management
• Risk Management Data Management
• ITOS Data Management
• BOSS Data Management
• Reporting Services
23. CSA Cloud Control Matrix CCM v3.0.1; 16 Domains
Source: https://cloudsecurityalliance.org/research/ccm/
Legend: CSA: Cloud Security Alliance; CCM: Cloud Control Matrix. The number of controls in each domain is given in parentheses.
1. AIS: Application & Interface Security (4)
2. AAC: Audit Assurance & Compliance (3)
3. BCR: Business Continuity Management & Operational Resilience (11)
4. CCC: Change Control & Configuration Management (5)
5. DSI: Data Security & Information Lifecycle Management (7)
6. DCS: Datacenter Security (9)
7. EKM: Encryption & Key Management (4)
8. GRM: Governance and Risk Management (11)
9. HRS: Human Resources (11)
10. IAM: Identity & Access Management (13)
11. IVS: Infrastructure & Virtualization Security (13)
12. IPY: Interoperability & Portability (5)
13. MOS: Mobile Security (20)
14. SEF: Security Incident Management, E-Discovery & Cloud Forensics (5)
15. STA: Supply Chain Management, Transparency and Accountability (9)
16. TVM: Threat and Vulnerability Management (3)
24. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Application & Interface Security (AIS):
• AIS-01: Application Security
• AIS-02: Customer Access Requirements
• AIS-03: Data Integrity
• AIS-04: Data Security / Integrity
Audit Assurance & Compliance (AAC):
• AAC-01: Audit Planning
• AAC-02: Independent Audits
• AAC-03: Information System Regulatory Mapping
Business Continuity Management & Operational Resilience (BCR):
• BCR-01: Business Continuity Planning
• BCR-02: Business Continuity Testing
• BCR-03: Datacenter Utilities / Environmental Conditions
• BCR-04: Documentation
• BCR-05: Environmental Risks
• BCR-06: Equipment Location
• BCR-07: Equipment Maintenance
• BCR-08: Equipment Power Failures
• BCR-09: Impact Analysis
• BCR-10: Policy
• BCR-11: Retention Policy
Change Control & Configuration Management (CCC):
• CCC-01: New Development / Acquisition
• CCC-02: Outsourced Development
• CCC-03: Quality Testing
• CCC-04: Unauthorized Software Installations
• CCC-05: Production Changes
Data Security & Information Lifecycle Management (DSI):
• DSI-01: Classification
• DSI-02: Data Inventory / Flows
• DSI-03: eCommerce Transactions
• DSI-04: Handling / Labeling / Security Policy
• DSI-05: Non-Production Data
• DSI-06: Ownership / Stewardship
• DSI-07: Secure Disposal
Source: https://cloudsecurityalliance.org/research/ccm/
25. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Datacenter Security (DCS):
• DCS-01: Asset Management
• DCS-02: Controlled Access Points
• DCS-03: Equipment Identification
• DCS-04: Off-Site Authorization
• DCS-05: Off-Site Equipment
• DCS-06: Policy
• DCS-07: Secure Area Authorization
• DCS-08: Unauthorized Persons Entry
• DCS-09: User Access
Encryption & Key Management (EKM):
• EKM-01: Entitlement
• EKM-02: Key Generation
• EKM-03: Sensitive Data Protection
• EKM-04: Storage and Access
Governance and Risk Management (GRM):
• GRM-01: Baseline Requirements
• GRM-02: Data Focus Risk Assessments
• GRM-03: Management Oversight
• GRM-04: Management Program
• GRM-05: Management Support/Involvement
• GRM-06: Policy
• GRM-07: Policy Enforcement
• GRM-08: Policy Impact on Risk Assessments
• GRM-09: Policy Reviews
• GRM-10: Risk Assessments
• GRM-11: Risk Management Framework
Source: https://cloudsecurityalliance.org/research/ccm/
26. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Human Resources (HRS):
• HRS-01: Asset Returns
• HRS-02: Background Screening
• HRS-03: Employment Agreements
• HRS-04: Employment Termination
• HRS-05: Mobile Device Management
• HRS-06: Non-Disclosure Agreements
• HRS-07: Roles / Responsibilities
• HRS-08: Technology Acceptable Use
• HRS-09: Training / Awareness
• HRS-10: User Responsibility
• HRS-11: Workspace
Identity & Access Management (IAM):
• IAM-01: Audit Tools Access
• IAM-02: Credential Lifecycle / Provision Management
• IAM-03: Diagnostic / Configuration Ports Access
• IAM-04: Policies and Procedures
• IAM-05: Segregation of Duties
• IAM-06: Source Code Access Restriction
• IAM-07: Third Party Access
• IAM-08: Trusted Sources
• IAM-09: User Access Authorization
• IAM-10: User Access Reviews
• IAM-11: User Access Revocation
• IAM-12: User ID Credentials
• IAM-13: Utility Programs Access
Source: https://cloudsecurityalliance.org/research/ccm/
27. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Infrastructure & Virtualization Security (IVS):
• IVS-01: Audit Logging / Intrusion Detection
• IVS-02: Change Detection
• IVS-03: Clock Synchronization
• IVS-04: Information System Documentation
• IVS-05: Management - Vulnerability Management
• IVS-06: Network Security
• IVS-07: OS Hardening and Base Controls
• IVS-08: Production / Non-Production Environments
• IVS-09: Segmentation
• IVS-10: VM Security - vMotion Data Protection
• IVS-11: VMM Security - Hypervisor Hardening
• IVS-12: Wireless Security
• IVS-13: Network Architecture
Interoperability & Portability (IPY):
• IPY-01: APIs
• IPY-02: Data Request
• IPY-03: Policy & Legal
• IPY-04: Standardized Network Protocols
• IPY-05: Virtualization
Mobile Security (MOS):
• MOS-01: Anti-Malware
• MOS-02: Application Stores
• MOS-03: Approved Applications
• MOS-04: Approved Software for BYOD
• MOS-05: Awareness and Training
• MOS-06: Cloud Based Services
• MOS-07: Compatibility
• MOS-08: Device Eligibility
• MOS-09: Device Inventory
• MOS-10: Device Management
• MOS-11: Encryption
• MOS-12: Jailbreaking and Rooting
• MOS-13: Legal
• MOS-14: Lockout Screen
• MOS-15: Operating Systems
• MOS-16: Passwords
• MOS-17: Policy
• MOS-18: Remote Wipe
• MOS-19: Security Patches
• MOS-20: Users
Source: https://cloudsecurityalliance.org/research/ccm/
28. CSA Cloud Control Matrix CCM v3.0.1; 133 Controls
Security Incident Management, E-Discovery & Cloud Forensics (SEF):
• SEF-01: Contact / Authority Maintenance
• SEF-02: Incident Management
• SEF-03: Incident Reporting
• SEF-04: Incident Response Legal Preparation
• SEF-05: Incident Response Metrics
Supply Chain Management, Transparency and Accountability (STA):
• STA-01: Data Quality and Integrity
• STA-02: Incident Reporting
• STA-03: Network / Infrastructure Services
• STA-04: Provider Internal Assessments
• STA-05: Supply Chain Agreements
• STA-06: Supply Chain Governance Reviews
• STA-07: Supply Chain Metrics
• STA-08: Third Party Assessment
• STA-09: Third Party Audits
Threat and Vulnerability Management (TVM):
• TVM-01: Anti-Virus / Malicious Software
• TVM-02: Vulnerability / Patch Management
• TVM-03: Mobile Code
Source: https://cloudsecurityalliance.org/research/ccm/
29. DMTF Cloud Auditing Data Federation (CADF) Standard
Defines a full event model anyone can use to fill in the essential data needed to certify, self-manage and self-audit application security in cloud environments. CADF is part of the DMTF's Cloud Management Initiative.
Auditing using a standard such as CADF has many benefits:
• Create and request customized views for Audit & Compliance data
• Track regional, industry and corporate policy compliance using standardized APIs / reports
• Key event data is normalized and categorized to support auditing of hybrid cloud applications
• CADF assures consistent mappings across cloud components and cloud providers
• Format is agnostic to the underlying provider infrastructure
• Provides transparency for low-level operational processes
Customer Benefits:
• Ability to self-manage auditing of their data
• Similar reports from different cloud service providers
• Aggregate audit data from different clouds / partners
• Auditing processes & tools unchanged
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
30. Cloud Auditing Data aggregated from multiple sources (diagram)
Company A's OSS/BSS processes and Company A's auditor request audit data through standard APIs. Company A's hybrid applications run at Cloud Provider P1 and Cloud Provider P2; each provider returns standard audit data (logs and reports), which is aggregated into one view of the hybrid applications.
OSS: Operational Support Services; BSS: Business Support Services
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
31. CADF Taxonomy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
Includes:
• Resources, by the role played in the event, e.g. Initiator, Target, Observer.
• Actions, used to classify the event by the activity that caused it to be generated.
• Outcomes, used to describe the outcome of the attempted action of the event.
CADF Event Model: basic and conditional model components (CADF definitions):
• OBSERVER: The RESOURCE that generates the CADF Event Record based on its observation (directly or indirectly) of the Actual Event.
• INITIATOR: The RESOURCE that initiated, originated, or instigated the event's ACTION, according to the OBSERVER.
• ACTION: The operation or activity the INITIATOR has performed, attempted to perform or has pending against the event's TARGET, according to the OBSERVER.
• TARGET: The RESOURCE against which the ACTION of a CADF Event Record was performed, was attempted, or is pending, according to the OBSERVER. NOTE: A TARGET (in the CADF Event Model) can represent a plurality of target resources.
• OUTCOME: The result or status of the ACTION against the TARGET, according to the OBSERVER.
32. CADF Event Model and REPORTERCHAIN construction (diagrams)
Figures: CADF Event Model, basic and conditional model components; example of REPORTERCHAIN construction.
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
33. CADF 7 essential W's of auditing and monitoring
CADF Event Model and its components:
• Work for any Activity, Monitoring or Control event
• Provide guidance on how to record Basic, Detailed or Precise information for each component
Legend: italics on the slide mark optional properties.
1. What: What activity occurred? What was the result? event.action, event.outcome, event.type (activity, monitoring, control), event.reason (e.g. security reason code, policy id)
2. When: When did the action happen? When was it observed? How long did it take? ISO 8601 timestamps: event.eventTime, reporter.timestamp, event.duration
3. Who: Who (user/service) initiated the Action? initiator.id, initiator.type, initiator (id, name), initiator.credential, initiator.credential.assertions
4. Where: Where was the Action observed, reported or modified? What role does the event serve? How was it recorded? observer.id, observer.type, reporterstep.role, reporterstep.reporterTime
5. On What: On what resource did the Activity target? target.id
6. From Where: From where was the Action initiated? May include logical/physical addresses or ISO 6709:2008 precise geolocations: initiator.addresses, initiator.host, initiator.geolocation
7. To Where: To where was the Action targeted? Can be as simple as an IP address or server name: target.addresses, target.host, target.geolocation
Source: http://dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf
34. CADF Resource Top-level Taxonomy hierarchy
Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• storage: Logical resources that represent storage containers.
• compute: Logical resources that are used to perform logical operations or calculations on data.
• network: Logical resources that interconnect computer systems, terminals, and other equipment allowing information to be exchanged.
• data: Logical named sets of information (objectified data) that are referenced and managed by services.
• service: Logical set of operations, packaged into a single entity, that provides access to and management of cloud resources (for a given domain).
• system: Logical resources that are a combination of several other [cloud] resources that operate as a functional whole, this combination being manageable (created, operated, audited, etc.) as a unit, i.e., offering some operations that could activate lower-level operations over each of the subresources.
• unknown: This resource indicates that the OBSERVER of the event is not, to the best of its ability, able to classify a resource that contributed to the actual event it is reporting on using any other valid resource taxonomy value.
  • 35. 35 CADF Resource Taxonomy: storage subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: Logical resource that contains the necessary processing components to store data.
• volume: Logical unit of persistent data storage that may or may not be physically removable from the computer or storage system.
• memory: Logical unit of data storage that is used for dynamically processing data.
• container: Logical unit of storage where data objects are deposited and organized for persistent storage.
• directory: Logical storage used to organize records about resources (e.g., files, subscribers, etc.) along with their locations and other metadata. Typically these records are organized in a hierarchical structure.
• database: Logical storage used to organize data according to a model (schema) that reflects relevant aspects of a specific real-world application.
• queue: Logical storage of a list of data waiting to be processed.
  • 36. 36 CADF Resource Taxonomy: compute subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: Logical resource that contains the necessary processing components to execute a workload.
• cpu: Logical resource that represents a unit of processing power that can consume a workload.
• machine: Logical resource that encapsulates both CPU and memory.
• process: An instance of a granular workload, such as an application or service, that is being executed.
• thread: A separable function of a running process that shares its virtual address space and system resources.
  • 37. 37 CADF Resource Taxonomy: network subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• node: A logical resource that can be networked and can provide services on data from network connections. A node may export zero or more endpoints (zero implies it has not been provisioned).
• host: A network node that can perform operations or calculations on data.
• connection: A single network interaction involving two or more endpoints (sources and destinations).
• domain: A logical grouping of networked resources.
• cluster: A logical combination of tightly coupled network resources.
  • 38. 38 CADF Resource Taxonomy: service subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• bss: Business Support Services (BSS); the logical classification grouping for services that support business activities.
• composition: The logical classification grouping for services that support the composition of independent services into a new service offering.
• compute: Infrastructure services for managing computing (fabric).
• database: Database services (DB-as-a-Service) that permit substitutability across provider implementations.
• image: Infrastructure services for managing virtual machine images and associated metadata.
• network: Infrastructure services for managing networking (fabric).
• oss: Operational Support Services (OSS); the logical classification grouping for services that support operations, including communication, control, analysis, etc.
• security: Security services (Security-as-a-Service); the logical classification grouping for security services including identity management, policy management, authentication, authorization, access management, etc.
• storage: Infrastructure services for managing storage (fabric).
• storage/block: Infrastructure services for managing block storage.
• storage/object: Infrastructure services for managing object storage.
  • 39. 39 CADF Resource Taxonomy: composition, OSS and BSS subtrees (under service). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• bss/billing: Business services to manage different types of charges for cloud-based resources relevant to a given customer.
• bss/location: Business services to manage the location, physical or virtual, of cloud-based resources as well as clients (e.g., mobile devices).
• bss/metering: Business services to manage the measurement of cloud-based resources (e.g., utilization, transactions, performance, etc.), often to determine how to bill for service usage.
• bss/crm: Customer Relationship Management (CRM) services (example extension of the "bss" classification).
• bss/erp: Enterprise Resource Planning (ERP) services (example extension of the "bss" classification).
• bss/srm: Service Request Management (SRM) services (example extension of the "bss" classification).
• composition/orchestration: Composition services that automate the management of complex applications, services, platforms and/or infrastructures to align them with business and service agreements and operational policies.
• composition/workflow: Composition services that sequence connected steps supporting the management of a document (e.g., transaction, order, service template, etc.) through a complex system of applications, services, platforms and/or infrastructures.
• oss/capacity: Operational services that ensure the resource capacity allocated to an application (including compute, storage and networking resources) matches its current utilization.
• oss/configuration: Operational services that manage and monitor configuration changes on applications to avoid incompatibilities that can result in reduced performance or compliance failures.
• oss/logging: Operational services that capture or record information and identifying data about actions that occur in a system, including data that could be, or contribute to, auditable event records.
• oss/monitoring: Operational services that monitor services to ensure their availability and that they are provided in accordance with the terms of Service Level Agreements (SLAs).
• oss/virtualization: Operational services that manage virtualization of compute, storage and network infrastructure.
  • 40. 40 CADF Resource Taxonomy: data subtree (1 of 2). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• catalog: A data resource used to register resources along with information or metadata about them, and perhaps provide links to them.
• config: A data resource that contains information such as settings and parameters that could be used for configuring a resource (or parts of it).
• directory: The parent classification for all directory-related data objects.
• file: A logical block of data for storing information in a filesystem, available to computer programs.
• image: A readily usable or processable set of data that can be easily transferred between processing domains.
• log: A data resource used to record events from automated computer programs. Typically used to provide an audit trail that can be used to understand the activity of a system and to diagnose problems.
• message: A block of information that is transmitted over a connection between networked endpoints.
• message/stream: A continuous message or series of messages between networked endpoints.
• module: A portion of a program, typically aligned with a specific functional set.
• package: A wrapped collection of files and data, along with metadata, meaningful to the processing domain that will utilize it.
  • 41. 41 CADF Resource Taxonomy: data subtree (2 of 2). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• report: A data resource that contains one or more event records compiled with other auditing information in response to some step within an auditing process.
• template: A data resource that serves as a pattern, stencil, or gauge for instantiating a new resource or set of resources; for example, a template that describes the topology and relationships of an application's services and its network to a cloud provider for deployment and management.
• workload: A set of data that represents the amount of work that computational nodes can consume at a given time.
• workload/application: A workload that performs a wide range of operations, some of which may be exported as services.
• workload/service: A workload that performs a single or a few specialized operations. See clause A.2.10 of DSP0262 when specific services are described in events apart from generic management as compute workloads.
• database (data object): The parent classification for all database-related data objects. See clause A.2.13 ("Database (data object) subtree classifications"), which lists the full set of database-related classifications.
• security (data object): The parent classification for all security-related data objects. See clause A.2.12 ("Security (data objects) subtree classifications"), which lists the full set of security-related classifications.
  • 42. 42 CADF Resource Taxonomy: security subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• account: Represents a business agreement for providing regular services between a provider and a consumer.
• account/user: An account representing a person assigned access to use cloud resources or applications.
• account/admin: An account representing a person assigned administrative access to resources.
• credential: Represents security data that is transferred to establish a claimed identity [SAML Glossary].
• group: Represents named groups to which users or roles can be assigned, carrying access rights or entitlements that its members inherit.
• identity: Represents the essence of an entity (e.g., a user or service) and may describe the entity's characteristics and properties.
• key: A secret token used to protect data, typically through signing or encryption. The key (or its public variant) can be provided to one or more parties to enable access to the protected data.
• license: Represents an authorization or permission to do something on, or with, somebody else's resources.
• policy: Represents security data that contains rules and procedures regulating resources within a system.
• profile: Represents security data that defines extended rules, constraints or properties that apply to particular domains.
• role: Represents named jobs or functions users may be assigned. A role may carry access rights and entitlements that users inherit from being assigned to that role.
• node: Represents a network node (e.g., router, server, etc.) acting with some (perceived) credential or authority to perform some action against another resource. Used when only limited information is known to the event's observer (e.g., perhaps only an endpoint address).
  • 43. 43 CADF Resource Taxonomy: database subtree. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• alias: An alternative name for an object such as a table, a view or another alias. It can be used to reference an object wherever that object can be referenced directly.
• index: A set of pointers that are logically ordered by the values of one or more keys. Typically used to improve performance and ensure key uniqueness.
• instance: A logical representation of the structures, memory and storage used to realize a database, its objects and data.
• key: A property used to identify data stored in a database table. Typically each table has a primary key that uniquely identifies records.
• routine: An executable database object that performs operations on other database objects.
• schema: A collection of named objects that are grouped logically. A schema is also a name qualifier: it provides a way to use the same natural name for several objects and to prevent ambiguous references to those objects.
• sequence: A stored object that generates a sequence of numbers in monotonically ascending (or descending) order. Sequences let the database manager automatically generate unique keys and coordinate keys across multiple rows and tables.
• table: A logical structure made up of columns and rows. At the intersection of every column and row is a specific data item called a value. There is no inherent order of the rows within a table.
• view: An alternative way of looking at the data in one or more tables.
  • 44. 44 CADF Action Taxonomy hierarchy (1 of 3). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• create: The target resource described in the event was created (or an attempt was made to do so) by the initiator resource.
• read: Data was read from the target resource by the initiating resource (or an attempt was made to do so).
• update: One or more of the target resource's properties were modified or changed by the initiator resource.
• delete: The target resource described in the event was deleted (or an attempt was made to do so) by the initiator resource.
• monitor: The target resource is the subject of a monitoring action from the initiating resource.
• backup: The target resource described in the event is being persisted to storage without regard to environment, context, or state at the time of storage.
• capture: The target resource described in the event is being persisted to storage along with relevant environment and state information (e.g., program settings, network state, memory/cache, etc.). Conceptually, a "snapshot" of the resource is captured at a moment in time.
• configure: The target resource described in the event is being set up to enable it to run in a particular environment or for a particular application or use.
• deploy: The target resource is being positioned or made available for use by the initiator resource, but is not yet started.
Legend (the original slide colour-codes the rows): General Resource Management; Monitoring; Workload and Data Management.
  • 45. 45 CADF Action Taxonomy hierarchy (2 of 3). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• disable: The initiator resource is causing the target resource [that has been started] to disallow or block some set of functions.
• enable: The target resource (that has been started) is being changed by the initiator resource to allow or permit some set of functions.
• restore: The initiator is requesting that the target resource (or some portion of it) be restored from persistent storage.
• start: The target resource is being made functional by the initiator resource and able to perform or execute operations.
• stop: The initiator resource is causing the target resource to no longer be functional or able to perform or execute operations.
• undeploy: The initiator resource is causing the target resource to no longer be positioned or available for use.
• receive: The initiator resource is receiving a message or data from the target resource. Note that this is a separate action from any action the receiver performs based on the content of the message or data.
• send: The initiator resource is transmitting a message or data to the target resource. Note that this is a separate action from that of "creating" the message.
Legend (the original slide colour-codes the rows): Messaging; Workload and Data Management.
  • 46. 46 CADF Action Taxonomy hierarchy (3 of 3). Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• authenticate: A security request from the initiator resource to verify its claimed identity and/or credentials, sent to the target resource (an authority). (The original slide repeated the "disable" description here by mistake.)
• login: An extension of the authenticate action.
• renew: A security request from the initiator resource to renew a resource's identity, credentials, or related attributes or privileges, sent to the target resource (an authority).
• revoke: A security request from the initiator resource to remove entitlements or privileges from a resource's identity and/or credentials, sent to the target resource (an authority).
• allow: Indicates that the initiating resource has allowed access to the target resource.
• deny: Indicates that the initiating resource has denied access to the target resource.
• evaluate: Indicates the evaluation or application of a policy, rule, or algorithm to a set of inputs.
• notify: Indicates that the initiating resource has sent a notification based on some policy or algorithm application; for example, it has generated an alert to indicate a system problem.
• unknown: Indicates that the OBSERVER of the event is not, to the best of its ability, able to classify the exact action for the event it is reporting using any other valid action taxonomy value.
Legend (the original slide colour-codes the rows): Security Identity; Security Policy and Access Control.
  • 47. 47 CADF Outcome Taxonomy hierarchy. Source: http://dmtf.org/sites/default/files/standards/documents/DSP0262_1.0.0.pdf
• success: The attempted action completed successfully with the expected results.
• failure: The attempted action failed due to some form of operational system failure, or because the action was denied, blocked or refused in some way.
• unknown: The outcome of the attempted action is unknown and it is not expected that it will ever be known.
• pending: The outcome of the attempted action is unknown, but it is expected that it will be known at some point in the future. A future event correlated with the current event may provide additional detail.
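As an added example (this is not code from the deck, from DMTF, or from OpenStack's pycadf), the following Python builds a CADF event for a constructed API request using the seven W's from slide 33 and checks its action, outcome and resource typeURIs against the taxonomy values listed on slides 34 to 47. The function names build_event and check_event, the sample identifiers, and the HTTP-method-to-action map are assumptions made for this example; the typeURI strings follow pycadf's naming conventions.

```python
"""CADF event builder and taxonomy checker.

Added example written for this page; it is not code from the deck, DMTF or
OpenStack's pycadf. It encodes the seven W's of the CADF event model and the
subset of the DSP0262 action, outcome and resource taxonomies shown on the
slides above, builds an event for a constructed API request, and checks it.
"""
import json
import uuid
from datetime import datetime, timezone

# Action and outcome taxonomy values as listed on the slides above (DSP0262).
ACTIONS = {
    "create", "read", "update", "delete", "monitor", "backup", "capture",
    "configure", "deploy", "disable", "enable", "restore", "start", "stop",
    "undeploy", "receive", "send", "authenticate", "login", "renew", "revoke",
    "allow", "deny", "evaluate", "notify", "unknown",
}
OUTCOMES = {"success", "failure", "unknown", "pending"}
# Top-level resource taxonomy roots; typeURIs are path-like ("compute/machine").
RESOURCE_ROOTS = {"storage", "compute", "network", "data", "service", "system", "unknown"}

# HTTP method to CADF action. Assumption: this mirrors the default mapping of
# the OpenStack audit middleware (slides 63-64); real deployments can override
# it per API path via an audit map file.
HTTP_METHOD_ACTION = {
    "GET": "read", "HEAD": "read", "POST": "create",
    "PUT": "update", "PATCH": "update", "DELETE": "delete",
}

# Constructed sample resources (not real identifiers). typeURIs follow the
# pycadf naming convention for users, servers and the Nova API service.
SAMPLE_INITIATOR = {
    "id": "user-0f3c", "typeURI": "service/security/account/user", "name": "alice",
    "addresses": [{"address": "203.0.113.7"}],            # From Where (RFC 5737 doc range)
    "host": {"address": "203.0.113.7", "agent": "python-novaclient"},
    "credential": {"type": "token", "token": "<redacted>"},  # never record the raw token
}
SAMPLE_TARGET = {"id": "server-7b21", "typeURI": "compute/machine",
                 "addresses": [{"address": "https://nova.example.test/v2/servers/server-7b21"}]}
SAMPLE_OBSERVER = {"id": "nova-api-1", "typeURI": "service/compute", "name": "nova"}


def cadf_outcome(status_code):
    """HTTP status -> CADF outcome. 202 means the work is queued, so 'pending';
    any 4xx/5xx (including a 403 deny) is a 'failure' per the outcome taxonomy."""
    if status_code == 202:
        return "pending"
    if 200 <= status_code < 300:
        return "success"
    return "failure"


def build_event(method, status_code, initiator, target, observer, when=None):
    """Assemble a CADF-shaped activity event answering the seven W's."""
    when = when or datetime.now(timezone.utc)
    return {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "id": str(uuid.uuid4()),
        "eventType": "activity",                                      # What kind of event
        "action": HTTP_METHOD_ACTION.get(method.upper(), "unknown"),  # What happened
        "outcome": cadf_outcome(status_code),                         # What was the result
        "reason": {"reasonType": "HTTP", "reasonCode": str(status_code)},
        "eventTime": when.isoformat(timespec="milliseconds"),         # When, ISO 8601 with offset
        "initiator": initiator,                                       # Who / From Where
        "target": target,                                             # On What / To Where
        "observer": observer,                                         # Where it was observed
    }


def check_event(event):
    """Return a list of problems; empty means every W is answerable and the
    action, outcome and resource typeURI values are in the taxonomy."""
    problems = []
    for field in ("id", "eventType", "action", "outcome", "eventTime",
                  "initiator", "target", "observer"):
        if field not in event:
            problems.append(f"missing {field}")
    if event.get("action") not in ACTIONS:
        problems.append(f"action {event.get('action')!r} not in action taxonomy")
    if event.get("outcome") not in OUTCOMES:
        problems.append(f"outcome {event.get('outcome')!r} not in outcome taxonomy")
    for role in ("initiator", "target", "observer"):
        res = event.get(role) or {}
        if "id" not in res:
            problems.append(f"{role}.id missing")
        root = res.get("typeURI", "").split("/")[0]
        if root not in RESOURCE_ROOTS:
            problems.append(f"{role}.typeURI {res.get('typeURI')!r} has no taxonomy root")
    try:
        datetime.fromisoformat(str(event.get("eventTime")))
    except ValueError:
        problems.append("eventTime is not ISO 8601")
    return problems


if __name__ == "__main__":
    # A denied attempt by alice to delete a server, as the Nova API would observe it.
    event = build_event("DELETE", 403, SAMPLE_INITIATOR, SAMPLE_TARGET, SAMPLE_OBSERVER)
    print(json.dumps(event, indent=2))
    print("problems:", check_event(event))
```

The check is the minimum an audit consumer should apply before accepting an event from a reporter: a denied request is recorded as outcome "failure" with the HTTP status in the reason, the timestamp carries an explicit UTC offset so events from different regions can be ordered, and the credential is reduced to its type rather than the bearer token itself.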
  • 48. 48 10 Steps to Manage Cloud Security: focus areas, standards and certifications. Ref: Cloud Standards Customer Council, http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
Step 1: Ensure effective governance, risk and compliance. Standards: ISO/IEC 38500 (IT governance); COBIT; ITIL (ISO/IEC 20000); ISO/IEC 20000-7 and 20000-11 (in development at time of writing); SSAE 16; PCI DSS. Certifications: ISO 27002 (ISO 27017); SSAE 16; HIPAA; PCI DSS; FedRAMP; FISMA.
Step 2: Audit operational and business processes. Standards: DMTF Cloud Auditing Data Federation (CADF). Certifications: ISO 27002 (ISO 27017); SSAE 16.
Step 3: Manage people, roles and identities. Standards: ISO 27002; IAM protocols: Kerberos, LDAP, SAML 2.0, OAuth 2.0, WS-Federation, OpenID Connect; SCIM; Active Directory Federation Services (ADFS); XACML; PKCS, X.509, OpenPGP. Certifications: ISO 27002 (ISO 27017).
Step 4: Ensure proper protection of data and information. Standards: ISO 27002 / 27017 (in development); data in motion: HTTPS, SFTP, VPN using IPsec or SSL/TLS; US FIPS 140-2; OASIS KMIP. Certifications: ISO 27002 (ISO 27017).
  • 49. 49 10 Steps to Manage Cloud Security (continued). Ref: Cloud Standards Customer Council, http://www.cloud-council.org/Cloud_Security_Standards_Landscape_Final.pdf
Step 5: Enforce privacy policies. Standards: Personally Identifiable Information (PII) handling; U.S.-EU Safe Harbor framework (invalidated by the Court of Justice of the EU in October 2015, after this deck was last updated); ISO 27018 (marked in development on the original slide; published as ISO/IEC 27018:2014). Certifications: TRUSTe Safe Harbor certification seal program; ISO 27018.
Step 6: Assess the security provisions for cloud applications. Standards: NIST Guidelines on Firewalls and Firewall Policy; Open Web Application Security Project (OWASP); OVF 2.0 and OASIS TOSCA. Certifications: ISO 27002 (ISO 27017).
Step 7: Ensure cloud networks and connections are secure. Standards: ISO 27001 and 27002; ISO/IEC 27033-1/2/3; FISMA (FIPS 199 and 200); OpenFlow, TM Forum Frameworx, NIST SP 800-53. Certifications: ISO 27002 (ISO 27017).
Step 8: Evaluate security controls on physical infrastructure and facilities. Standards: ISO 27002; ISO 27017 and 27018. Certifications: ISO 27002 (ISO 27017).
Step 9: Manage security terms in the cloud SLA. Standards: CSCC Practical Guide to Cloud SLAs; ISO 27004, NIST SP 800-55; CIS Consensus Security Metrics; ENISA. Certifications: ISO 27002 (ISO 27017); SSAE 16 (financial).
Step 10: Understand the security requirements of the exit process. Standards: none yet; ISO/IEC JTC 1/SC 38 WG3 (future). Certifications: none.
  • 50. 50 References
• Cloud Standards Customer Council (CSCC), Cloud Security Standards
• DMTF, Cloud Auditing Data Federation (CADF)
• NIST Cloud Computing Standards Roadmap
• Detailed CSA TCI Reference Architecture
• Payment Card Industry (PCI) Data Security Standard (DSS) guidelines
• OpenStack wiki, OpenStack main page and OpenStack developer guides
• Cloud Auditing Data Federation: OpenStack Profile
• Cloud Auditing Data Federation (CADF) Data Format and Interface Definitions Specification (DSP0262_1.0.0)
• CADF Event Model and Taxonomies (DSP2038)
• NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
  • 52. 52 Conclusion
• The world is becoming more digital
• Cloud is all about services and service delivery
• The cloud is only worth the services it delivers
• Cloud is all about a hybrid world
  • 55. 55 Cloud expected benefits and trade-offs
Expected benefits:
• Economies of scale
• Multi-tenancy
• Capacity utilization
• "Zero" capex model
• Lower long-term total cost of ownership for IT services
• Lower barriers to entry for new business models that were constrained by IT resources in the past
• Allows businesses to focus more on their core competencies
• Speed and flexibility of business change
• On-demand self-service
• Automation
• Standardization
• Elasticity
• Pay-per-use model
• Reduced time to market
• Efficiency in global communication and collaboration
Potential risks and trade-offs:
• Security, privacy, and data confidentiality
• Loss of control and governance
• Vendor lock-in
• Management interface compromise
• Incomplete or insecure data deletion; data protection
• Malicious insiders and investigative support
• Segmentation or isolation failure
• Availability, reliability, speed, cost
• Learning curve
• Quality of support
• Change in organizational culture
• Interoperability standards; portability for legacy IT into clouds
• Shift in liability
• Regulatory compliance
• Transparent infrastructure scalability
• Application deployment mechanisms
• Economic modelling of a new market
  • 56. 56 OpenStack feature releases (release, date, integrated projects)
• Austin, Oct 2010: Nova and Swift
• Bexar, Feb 2011: Nova, Swift, and Glance
• Cactus, Apr 2011: Nova, Swift, and Glance
• Diablo, Sep 2011: Nova, Swift, and Glance
• Essex, Apr 2012: Nova, Swift, Glance, Horizon, and Keystone
• Folsom, Sep 2012: Nova, Swift, Glance, Horizon, Keystone, Cinder, and Quantum (renamed Neutron in Havana)
• Grizzly, Apr 2013: Nova, Swift, Glance, Horizon, Keystone, Cinder, and Quantum
• Havana, Oct 2013: Nova, Swift, Glance, Horizon, Keystone, Cinder, Neutron, Heat, and Ceilometer
• Icehouse, Apr 2014: Nova, Swift, Glance, Horizon, Keystone, Cinder, Neutron, Heat, Ceilometer, and Trove
• Juno, Oct 2014: Nova, Swift, Glance, Horizon, Keystone, Cinder, Neutron, Heat, Ceilometer, Trove, and Sahara
• Kilo, Apr 2015: TBD when the deck was last updated (March 2015)
  • 57. 57 NIST CC Security Reference Architecture (figure; text recovered from the diagram). Actors: Cloud Consumer; Cloud Provider, comprising the Service Layer (SaaS, PaaS, IaaS), the Resource Abstraction and Control Layer, the Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability), Cloud Orchestration, and cross-cutting concerns (Security, Privacy, etc.); Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier.
  • 58. 58 NIST CC Security Reference Architecture
  • 59. 59 Cloud Security Alliance TCI Reference Architecture Legend: CSA: Cloud Security Alliance TCI: Trusted Cloud Initiative Source: https://cloudsecurityalliance.org/wp- content/uploads/2011/10/TCI- Reference-Architecture-v1.1.pdf
  • 60. 60 Planning Guide for Infrastructure as a Service (IaaS) Source: http://blogs.technet.com/b/privatecloud/archive/2012/04/05/planning-guide-for-infrastructure-as-a-service-iaas.aspx
  • 61. 61 Cloud Computing Audit Checklist Ref Book: Auditing Cloud Computing: A Security and Privacy Guide by Ben Halpert and Jeff Fenton Source: http://onlinelibrary.wiley.com/doi/10.1002/9781118269091.app1/pdf • Cloud-Based IT Audit Process (11) • Cloud-Based IT Governance (4) • System and Infrastructure Life Cycle Management for the Cloud (3) • Cloud-Based IT Service Delivery and Support (5) • Protection and Privacy of Information Assets in the Cloud (5) • Business Continuity and Disaster Recovery (4) • Global Regulation and Cloud Computing (5) • Cloud Morphing: Shaping the Future of Cloud Computing Security and Audit (4)
  • 62. 62 Cloud Security’s Split Responsibilities Source: http://interconnectgo.com/wp-content/uploads/2015/01/Cloud-Cloud-Security-White-Paper.pdf
  • 63. 63 How the Audit Filter Pushes Audit Events to Ceilometer Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
  • 64. 64 CADF API Auditing with Ceilometer - How it works… Source: https://wiki.openstack.org/w/images/e/e1/Introduction_to_Cloud_Auditing_using_CADF_Event_Model_and_Taxonomy_2013-10-22.pdf
  • 65. 65 Audit approaches
• Standardized/automated formats: Security Content Automation Protocol (SCAP), CloudTrust, …
• Cloud-specific audit and assurance initiatives and questionnaires: CloudAudit, ENISA Assurance Framework, ISACA, …
• Non-cloud-specific frameworks: ISO 27001, FISMA, PCI DSS, NIST SP 800-53, …